SolarWinds Scandal Calls Attention to Supply Chain Security

An alleged hack of federal agencies by Russian operators could precipitate more widespread concern for supply chain cybersecurity — a silver lining to a scandal that continues to get bigger, uglier and more complicated.

A large hacking scandal continues to send shockwaves throughout the cybersecurity community, raising questions about the need for better regulation of third-party vendors.

To sum up: Russian hackers appear to have wormed their way into numerous federal agencies, including the Pentagon, the State Department, DHS, the Department of Commerce, and even, apparently, the National Nuclear Security Administration. U.S. officials were somehow clueless about the hacking until being notified by researchers from FireEye, which appears to have been a victim of a similar attack.

While the true extent of the hack has not yet been revealed, it appears hackers from the notorious advanced persistent threat (APT) group "Cozy Bear" gained access to U.S. government networks "for months."

If there's one silver lining to the entire debacle, it's that it drew focus to an area of cybersecurity that hasn't always received enough attention: the supply chain.

There's been an ongoing conversation about the need for better supply chain security for public agencies and this incident is sure to push that conversation into legislative territory, at least. Already, Congress is calling for an investigation, which could create an opportunity for substantive policy proposals and a brighter national spotlight on the issue. 

The Russian hackers are alleged to have gained entry to federal systems via a backdoor in software from a third-party IT vendor: SolarWinds' Orion platform, a popular network monitoring and management suite.

Until this week, SolarWinds was a quiet vendor whose products were nonetheless widely used by governments and companies alike. In addition to having extensive contracts with federal agencies, SolarWinds also has a variety of customers in state and local government, with its client list including the city of Indianapolis, the state of Texas, and the University of California, Berkeley. There's no evidence that any of these communities used any of the compromised products, however. 

In a statement provided to Government Technology, Jamil Jaffer, senior vice president at cyberfirm IronNet, helped explain the extent of the potential breach.

"SolarWinds Orion is a monitoring platform used by IT professionals to manage and optimize their network computing environments. Because the platform connects a number of different monitoring capabilities, depending on how it is implemented, it may reach broadly across a given customer's network," said Jaffer. "According to SolarWinds, of its 300,000 clients, approximately 18,000 (or around 6 percent of its customers) deployed a version of the Orion platform that may have been compromised."

Jaffer, who formerly worked as senior counsel to the House Intelligence Committee, said that the event clearly shows how third parties can quickly compromise public agencies and that the hacking will likely push governments to think more broadly about the issue of supply chain security. 

"This event does highlight the challenge of managing the supply chain of individual organizations," Jaffer went on. "Specifically, it demonstrates that even if a given organization has good defensive capabilities, it may be vulnerable to attacks targeting its vendors." 

Over the past several years, there have been numerous legislative attempts to create more comprehensive supply chain security standards for federal agencies. For smaller governments in particular, finding cost-effective methods to better verify the security of supply chains is currently an almost impossible task. Some states, like Georgia, have recently sought to implement local standards to better protect themselves from foreign companies that federal authorities have deemed "insecure." With a situation like the SolarWinds affair, however, where a reputable third-party company was hacked by a highly skilled state-sponsored APT, there is little that a government could've done to protect itself.

At the very least, the attack also appears to have pushed the incoming Biden administration to further pledge its commitment to a robust federal cybersecurity agenda.  

“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Biden said in a statement. “We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyberattacks.”

Biden has all the people and momentum to make good on this promise, having brought in a number of former Obama cyberofficials to staff important national security positions. This recent incident could be the very catalyst necessary to make the new White House bullish when it comes to security.

Lucas Ropek is a former staff writer for Government Technology.